dc => {},
};
- foreach my $vmid (keys %$idlist, '__phantom__') {
- my $perm = $rpcenv->permissions($authuser, "/vms/$vmid");
+ my $extract_vm_caps = sub {
+ my ($path) = @_;
+
+ my $perm = $rpcenv->permissions($authuser, $path);
foreach my $priv (keys %$perm) {
- next if !($priv eq 'Permissions.Modify' ||$priv =~ m/^VM\./);
+ next if !($priv eq 'Permissions.Modify' || $priv =~ m/^VM\./);
$res->{vms}->{$priv} = 1;
}
+ };
+
+ foreach my $pool (keys %{$usercfg->{pools}}) {
+ &$extract_vm_caps("/pool/$pool");
+ }
+
+ foreach my $vmid (keys %$idlist, '__phantom__') {
+ &$extract_vm_caps("/vms/$vmid");
}
foreach my $storeid (@sids, '__phantom__') {
my $rpcenv = PVE::RPCEnvironment::get();
my $res;
-
eval {
# test if user exists and is enabled
$rpcenv->check_user_enabled($username);
if (my $err = $@) {
my $clientip = $rpcenv->get_client_ip() || '';
syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
- die $err;
+ # do not return any info to prevent user enumeration attacks
+ die PVE::Exception->new("authentication failure\n", code => 401);
}
$res->{cap} = &$compute_api_permission($rpcenv, $username);